[ome-devel] LDAP error logging

Josh Moore josh at glencoesoftware.com
Tue Jan 18 07:29:05 GMT 2011


Hi Mike,

I agree that the logging is not nearly as useful as it needs to be. I've added a ticket to improve ldap logging support:

  http://trac.openmicroscopy.org.uk/omero/ticket/3892

However, could it be the missing "o" from your "omero.ldap.username" causing the problem? Or is that just a cut-n-paste artifact? If that doesn't clear things up, I'll create a test with a space in the username and see if I can reproduce your problems.

Cheers,
~Josh

On Jan 17, 2011, at 9:56 PM, McCaughey, Michael J wrote:

> Josh-
> bin/omero config get (less password) returns:
> omero.ldap.base=ou=people,dc=vanderbilt,dc=edu
> omero.ldap.config=true
> omero.ldap.urls=ldaps://ldap.vanderbilt.edu:636
> mero.ldap.username=uid=myuser,ou=special users,dc=vanderbilt,dc=edu
> omero.ldap.user_mapping=omeName=uid,firstName=givenName,lastName=sn,email=mail
> 
> Setting log level to DEBUG adds only the following to a failed logon attempt:
> 
> 2011-01-17 14:48:54,452 INFO  [.ldap.DefaultSpringSecurityContextSource] (      main)  URL 'ldaps://ldap.vanderbilt.edu:636', root DN is ''
> 2011-01-17 14:48:54,486 DEBUG [.ldap.core.support.AbstractContextSource] (      main) AuthenticationSource not set - using default implementation
> 2011-01-17 14:48:54,486 DEBUG [.ldap.core.support.AbstractContextSource] (      main) Using LDAP pooling.
> 2011-01-17 14:48:54,487 DEBUG [.ldap.core.support.AbstractContextSource] (      main) Trying provider Urls: ldaps://ldap.vanderbilt.edu:636/ou=people,dc=vanderbilt,dc=edu
> 2011-01-17 14:48:54,501 DEBUG [amework.aop.framework.JdkDynamicAopProxy] (      main) Creating JDK dynamic proxy: target source is HotSwappableTargetSource for target: org.springframework.security.ldap.DefaultSpringSecurityContextSource at 70a0afab
> 
> 
> One of the ou= has a space in the value, will that break anything?
> 
> Mike
> ________________________________________
> From: Josh Moore [josh at glencoesoftware.com]
> Sent: Monday, January 17, 2011 1:30 PM
> To: McCaughey, Michael J
> Cc: ome-devel at lists.openmicroscopy.org.uk
> Subject: Re: [ome-devel] LDAP error logging
> 
> On Jan 17, 2011, at 7:44 PM, McCaughey, Michael J wrote:
> 
>> Hello-
> 
> Hi Mike,
> 
>> I'm trying to configure ldap support on 4.2.2 (platform is fedora 12).  Our local ldap service is functional, and my test server can at least ping it.  I can execute ldapsearch from a command line using the same credentials I provide in omero.properties, so I think that's correct. Using ldapsearch with known good username and the existing filter as specified in omero.properties (i.e. (&(objectClass=person)(uid=cisr1))) returns a single result.
>> Java truststore has the CA of the provider (all that is required to reach our ldap box) plus local; keystore is set up as well.
>> 
>> When I try to logon with users known to ldap from the insight client, I either get a logon failure or the client hangs forever.  In the case of the logon error, I can see from the log file that it's trying to vet the password:
>> 
>> 2011-01-14 11:57:40,917 INFO  [        ome.services.util.ServiceHandler] (l.Server-8)  Executor.doWork -- ome.services.sessions.SessionManagerImpl.executeCheckPasswordRO(cisr1)
>> 2011-01-14 11:57:40,917 INFO  [        ome.services.util.ServiceHandler] (l.Server-8)  Args:    [null, ome.tools.spring.InternalServiceFactory at 3486a602]
>> 2011-01-14 11:57:40,924 INFO  [         ome.security.basic.EventHandler] (l.Server-8)  Auth:    user=0,group=0,event=null(Sessions),sess=32696c27-5b72-4a39-b86c-8b6fcb71440d
>> 2011-01-14 11:57:40,928 INFO  [                 org.perf4j.TimingLogger] (l.Server-8) start[1295027860917] time[11] tag[omero.call.success.ome.services.sessions.SessionManagerImpl$7.doWork]
>> 2011-01-14 11:57:40,928 INFO  [        ome.services.util.ServiceHandler] (l.Server-8)  Rslt:    false
>> 
>> However, this doesn't really tell me *where* it's trying to check the credentials.  The hung login logs nothing at all.
>> Pre-creating the experimenter account does not help.
>> 
>> Is there a way to turn on more extensive logging so I can determine what's gone off in the process?
> 
> There is some minimal logging that will be added by modifying the line:
> 
> <category name="org.springframework"> <priority value="WARN"/> </category>
> 
> in etc/log4j.xml to say "DEBUG" rather than "WARN". (This doesn't require a restart).
> 
> You can then grep your logs for "ldap". This will only make sure that you are using the right URL and similar, though I expected there to be much more logging from the Spring libraries. I'll keep looking for a better method. At the same time, could you possibly show us your configuration, i.e. the output of bin/omero config get? E.g.
> 
> ~/code/git/dist $ bin/omero config get | grep ldap | grep -v pass
> omero.ldap.base=ou=lifesci,o=dundee
> omero.ldap.config=true
> omero.ldap.urls=ldap://localhost:1389
> 
> Be sure, of course, to change any sensitive information.
> 
> Cheers,
> ~Josh
> 
>> Thanks,
>> Mike
> 
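As an added example (not OMERO's own code, and not posted by either participant): a small Python checker for the two points this exchange turns on, a misspelled omero.ldap.* key such as "mero.ldap.username" and a bind DN whose ou= value contains a space. The list of known key names is my assumption for a 4.2-era install and should be checked against etc/omero.properties; the config text and the password value are constructed to mirror Mike's `bin/omero config get` output.

```python
import difflib

# Assumed key names for OMERO 4.2 LDAP configuration; confirm against etc/omero.properties.
KNOWN_LDAP_KEYS = {
    "omero.ldap.config", "omero.ldap.urls", "omero.ldap.username",
    "omero.ldap.password", "omero.ldap.base", "omero.ldap.user_filter",
    "omero.ldap.user_mapping",
}

# Constructed sample mirroring the thread's `bin/omero config get` output,
# including the "mero.ldap.username" key with the missing leading "o".
SAMPLE_CONFIG = """\
omero.ldap.base=ou=people,dc=vanderbilt,dc=edu
omero.ldap.config=true
omero.ldap.urls=ldaps://ldap.vanderbilt.edu:636
mero.ldap.username=uid=myuser,ou=special users,dc=vanderbilt,dc=edu
omero.ldap.password=not-a-real-password
omero.ldap.user_mapping=omeName=uid,firstName=givenName,lastName=sn,email=mail
"""


def parse_config(text):
    """Parse key=value lines; only the first '=' separates key from value,
    so DNs and mappings containing '=' survive intact."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def check_ldap_keys(cfg):
    """Return (bad_key, suggestion) pairs for ldap-looking keys that are not known.
    A misspelled key is silently ignored by the server, so the bind user is never set."""
    problems = []
    for key in cfg:
        if key in KNOWN_LDAP_KEYS or "ldap" not in key:
            continue
        close = difflib.get_close_matches(key, KNOWN_LDAP_KEYS, n=1, cutoff=0.8)
        problems.append((key, close[0] if close else None))
    return problems


def split_dn(dn):
    """Split a DN into (attribute, value) RDN pairs, honouring RFC 4514 backslash escapes.
    A space inside a value (ou=special users) is an ordinary character and needs no
    escaping; only a leading/trailing space and the characters , + " \\ < > ; # do."""
    rdns, attr, buf, i = [], None, [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # escaped character: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == "=" and attr is None:          # first '=' ends the attribute type
            attr = "".join(buf).strip()
            buf = []
        elif c == ",":                         # unescaped ',' ends this RDN
            rdns.append((attr, "".join(buf)))
            attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    if attr is not None:
        rdns.append((attr, "".join(buf)))
    return rdns


def redacted(cfg):
    """Copy of the config safe to paste into a mailing list: password keys blanked."""
    return {k: ("<redacted>" if "pass" in k else v) for k, v in cfg.items()}


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for key, hint in check_ldap_keys(cfg):
        print(f"unknown key {key!r}" + (f", did you mean {hint!r}?" if hint else ""))
    bind_dn = cfg.get("omero.ldap.username") or cfg.get("mero.ldap.username", "")
    print("bind DN RDNs:", split_dn(bind_dn))
    for k, v in sorted(redacted(cfg).items()):
        print(f"{k}={v}")
```

Run it against the real `bin/omero config get` output instead of the sample; the only finding it should report on a correct install is none, and the RDN list shows that the space in "special users" is kept as part of the value rather than breaking the DN.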